Query Details
# Detect when Regsvr32.exe is created as subprocess by an Office Application
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1218.010 | System Binary Proxy Execution: Regsvr32 | https://attack.mitre.org/techniques/T1218/010/ |
#### Description
Regsvr32 can be abused to proxy the execution of malicious code (for example, to load a DLL or scriptlet delivered by a malicious document). When Regsvr32 is spawned by an Office application, it is a strong indicator that a document is being used to infect the system with malware: Office applications do not launch Regsvr32 themselves during normal use.
#### References
- https://redcanary.com/threat-detection-report/threats/TA551/
- https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/
### Defender For Endpoint
```
let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']);
DeviceProcessEvents
// =~ and in~ compare case-insensitively; == would miss 'REGSVR32.EXE'
| where FileName =~ "regsvr32.exe"
| where InitiatingProcessFileName in~ (OfficeApplications)
| project
    Timestamp,
    DeviceName,
    AccountName,
    AccountDomain,
    ProcessCommandLine,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName
```
### Sentinel
```
let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']);
DeviceProcessEvents
// =~ and in~ compare case-insensitively; == would miss 'REGSVR32.EXE'
| where FileName =~ "regsvr32.exe"
| where InitiatingProcessFileName in~ (OfficeApplications)
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    ProcessCommandLine,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName
```
This query detects when Regsvr32.exe is created as a child process of an Office application. It matches process creation events where the executed file is regsvr32.exe and the initiating (parent) process is one of the listed Office applications (winword.exe, powerpnt.exe, excel.exe), then returns the timestamp, device name, account name, account domain, process command line, initiating process command line, and initiating process file name. Two tuning notes: file names in the Defender tables can differ in case between hosts, so use case-insensitive operators (`=~`, `in~`) rather than `==`; and the `OfficeApplications` list can be extended with other Office binaries that open attacker-supplied documents (for example outlook.exe or msaccess.exe) if they are in scope for your environment.
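To show how the two `where` clauses behave on real-looking telemetry, the following is an added example written for this page (it is not code from the original page or from the query's author). It re-implements the filter logic in Python over a handful of constructed `DeviceProcessEvents`-style rows, with a `case_sensitive` switch to demonstrate why a case-sensitive comparison (KQL `==`) misses events that the case-insensitive form (`=~` / `in~`) catches. The host names, account names, and command lines are made up for illustration.

```python
# Added example: mirrors the KQL detection's filter and projection in Python
# so it can be exercised offline. Field names follow DeviceProcessEvents.
from dataclasses import dataclass
from typing import Iterable

# Same parent-process allowlist as the KQL `OfficeApplications` variable.
OFFICE_APPLICATIONS = {"winword.exe", "powerpnt.exe", "excel.exe"}
TARGET_FILE = "regsvr32.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation row (subset of DeviceProcessEvents columns)."""
    timestamp: str
    device_name: str
    account_name: str
    account_domain: str
    file_name: str
    process_command_line: str
    initiating_process_file_name: str
    initiating_process_command_line: str


def is_office_spawned_regsvr32(event: ProcessEvent, case_sensitive: bool = False) -> bool:
    """Equivalent of the query's two `where` clauses.

    case_sensitive=False behaves like KQL `=~` / `in~` (the recommended form);
    case_sensitive=True behaves like `==` and will miss e.g. 'REGSVR32.EXE'.
    """
    if case_sensitive:
        return (event.file_name == TARGET_FILE
                and event.initiating_process_file_name in OFFICE_APPLICATIONS)
    return (event.file_name.lower() == TARGET_FILE
            and event.initiating_process_file_name.lower() in OFFICE_APPLICATIONS)


def project(event: ProcessEvent) -> dict:
    """Equivalent of the query's `project` clause."""
    return {
        "Timestamp": event.timestamp,
        "DeviceName": event.device_name,
        "AccountName": event.account_name,
        "AccountDomain": event.account_domain,
        "ProcessCommandLine": event.process_command_line,
        "InitiatingProcessCommandLine": event.initiating_process_command_line,
        "InitiatingProcessFileName": event.initiating_process_file_name,
    }


def detect(events: Iterable[ProcessEvent], case_sensitive: bool = False) -> list[dict]:
    """Run the detection over a batch of events and return the projected hits."""
    return [project(e) for e in events if is_office_spawned_regsvr32(e, case_sensitive)]


# Constructed sample telemetry (not real data). Rows 1 and 3 should fire;
# row 3 only fires when matching is case-insensitive.
SAMPLE_EVENTS = [
    ProcessEvent("2023-02-14T09:12:03Z", "WS-1001", "jdoe", "CORP",
                 "regsvr32.exe", r"regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\inv.dll",
                 "winword.exe", r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n Invoice.docm'),
    ProcessEvent("2023-02-14T09:15:44Z", "WS-1002", "asmith", "CORP",
                 "regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\vendor.dll",
                 "msiexec.exe", r"msiexec.exe /i setup.msi /qn"),          # installer: benign
    ProcessEvent("2023-02-14T09:20:10Z", "WS-1003", "bwong", "CORP",
                 "REGSVR32.EXE", r"REGSVR32.EXE /s C:\Users\bwong\AppData\Roaming\q.dll",
                 "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e'),
    ProcessEvent("2023-02-14T09:22:31Z", "WS-1001", "jdoe", "CORP",
                 "splwow64.exe", r"splwow64.exe 12288",
                 "winword.exe", r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'),  # print helper: benign
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"], "->", hit["ProcessCommandLine"])
```

Running the block lists the two Office-spawned Regsvr32 events (WS-1001 and WS-1003); calling `detect(SAMPLE_EVENTS, case_sensitive=True)` returns only the WS-1001 row, which is the gap a `==` comparison would leave in the real query.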

Bert-Jan Pals
Released: February 14, 2023